Jan Hutar of Red Hat reports: By altering client side code or with a custom event failure message (via schedule.failSystemAction API call, the Schedule -> Failed Actions -> <action> -> Failed Systems page allows XSS.
Acknowledgements: Name: Jan Hutar (Red Hat)
This issue has been addressed in the following products: Red Hat Satellite 5.8 Red Hat Satellite 5.8 ELS Via RHSA-2017:1558 https://access.redhat.com/errata/RHSA-2017:1558